Requirement 7: Test payment applications to address vulnerabilities and maintain payment application updates
Details about how requirement 7 and subrequirements 7.1, 7.2, and 7.3 are fulfilled.
Requirement 7.1
Software vendors must establish a process to identify and manage vulnerabilities, as follows:
- 7.1.1 Identify new security vulnerabilities using reputable sources for obtaining security vulnerability information.
  - Organizational procedures are implemented to keep this information current.
- 7.1.2 Assign a risk ranking to all identified vulnerabilities, including vulnerabilities involving any underlying software or systems provided with or required by the payment application.
  - On our intranet, we maintain a section that collects common security vulnerabilities as well as a risk assessment regarding the IBM® Safer Payments software product.
- 7.1.3 Test payment applications and updates for the presence of vulnerabilities prior to release.
  - A collection of automated tests verifies that there are no known vulnerabilities in the new IBM Safer Payments release. Those tests are run before a release is delivered to customers and are documented within the factory staging.
Requirement 7.2
Software vendors must establish a process for timely development and deployment of security patches and upgrades.
- 7.2.1 Patches and updates are delivered to customers in a secure manner with a known chain of trust.
  - A process for the development and deployment of patches and upgrades is established. The same process is used whether the root cause is a security-related issue or a technical or functional issue.
- 7.2.2 Patches and updates are delivered to customers in a manner that maintains the integrity of the patch and update code.
  - Patches are delivered through Fixcentral. Software is delivered using a secure web server (https protocol). Installation media is protected by a SHA-256 hash that is published in the Release Notes in the IBM Support Portal. All patches and updates are integrity tested before delivery. Before the installation, the customer must manually verify the integrity using the checksum, as described in Downloading the installation image.
- 7.2.3 Provide instructions for customers about secure installation of patches and updates.
  - Where to find more information provides a link to the IBM Support Portal and Fixcentral, where Technotes, patches, and updates can be securely downloaded.
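The manual integrity check required under 7.2.2, as an added example that is not part of the original guide or of IBM's own tooling: a hypothetical shell helper `verify_image` that recomputes the SHA-256 of a downloaded image and compares it with the value the operator copies from the Release Notes, refusing on any mismatch. It assumes `sha256sum` (or `shasum`) and `awk` are on the path.

```shell
# verify_image: refuse to proceed unless the downloaded image's SHA-256 matches
# the hash published in the Release Notes. Hypothetical helper, not IBM tooling.
# Usage: verify_image <path-to-image> <expected-sha256-hex>
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file, malformed hash).
verify_image() {
    image="$1"
    expected="$2"
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 2; }
    # Normalize the copied hash: lowercase and strip stray whitespace from copy/paste.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected hash is not hexadecimal" >&2; return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters; anything else is a copy error.
    [ "${#expected}" -eq 64 ] || { echo "expected hash has wrong length" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$image" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$image" | awk '{print $1}')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches the published SHA-256"
        return 0
    fi
    # Mismatch: do not install. Re-download from the IBM Support Portal and re-check.
    echo "MISMATCH: $image does not match the published SHA-256" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

Only a return code of 0 should gate the installation step; treat codes 1 and 2 alike as "do not install".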
Requirement 7.3
Include Release Notes for all application updates, including details and impact of the update, and how the version number was changed to reflect the application update.
A process to include Release Notes for all patches or upgrades is established. The Release Notes and the version number are publicly available on the IBM Support Portal. If a patch for a PA-DSS certified release is delivered, a vendor change document is created. The document describes the impact of all changes with respect to PCI DSS compliance and why each change was necessary. The vendor change analysis document can be requested from your account manager.